(0day) Local Privilege Escalation in IObit Malware Fighter# Description
* The PoC program exploits the IMFForceDelete driver which exposes an ioctl that allows unprivileged users to delete files and folders. We can turn this into a privilege escalation by using a technique explained by ZDI and Halov, which exploits the MSI rollback mechanism which is designed to maintain system integrity in case of issues. By deleting and recreating it with a weak DACL and fake RBF and RBS files we can gain the ability to make arbitrary changes to the system as NT AUTHORITY\SYSTEM.
# VID
https://github.com/user-attachments/assets/58e343d2-97a4-4ca3-9deb-df911b717a57
# CREDITS
* [Halov](https://x.com/KLINIX5)
* [ZDI](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks-archive)
* [vx-underground and #ifndef hjonk](https://x.com/vxunderground/status/1876670819411407188)
[4.0K] /data/pocs/9812dfc02b6b73580aa97852583a4d352d2feb1f
├── [4.0K] PoC
│ ├── [558K] 5eeabb3.rbs
│ ├── [2.1K] FolderOrFileDeleteToSystem.rc
│ ├── [1.3K] Header.h
│ ├── [184K] Msi_EoP.msi
│ ├── [ 20K] NtDefine.h
│ ├── [ 12K] PoC.cpp
│ ├── [1.5K] PoC.filters
│ ├── [8.5K] PoC.vcxproj
│ ├── [ 541] resource.h
│ └── [ 12K] SystemCmdLauncher.dll
├── [1.4K] PoC.sln
└── [ 888] README.md
1 directory, 12 files